diff --git a/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch b/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch index 141ef46..d49851c 100644 --- a/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch +++ b/tigervnc-add-option-allowing-to-connect-only-user-owning-session.patch @@ -33,7 +33,7 @@ index 3831812..736a563 100644 if (client->accessCheck(AccessNoQuery)) { diff --git a/unix/xserver/hw/vnc/XserverDesktop.cc b/unix/xserver/hw/vnc/XserverDesktop.cc -index d4ee16b..dce1f6c 100644 +index d4ee16b..a537534 100644 --- a/unix/xserver/hw/vnc/XserverDesktop.cc +++ b/unix/xserver/hw/vnc/XserverDesktop.cc @@ -52,6 +52,11 @@ @@ -48,7 +48,7 @@ index d4ee16b..dce1f6c 100644 extern "C" { void vncSetGlueContext(int screenIndex); void vncPresentMscEvent(uint64_t id, uint64_t msc); -@@ -71,7 +76,14 @@ IntParameter queryConnectTimeout("QueryConnectTimeout", +@@ -71,7 +76,15 @@ IntParameter queryConnectTimeout("QueryConnectTimeout", "Accept Connection dialog before " "rejecting the connection", 10); @@ -58,13 +58,14 @@ index d4ee16b..dce1f6c 100644 +("ApproveLoggedUserOnly", + "Approve only the user who is currently logged into the session." + "This is expected to be combined with 'plain' security type and with " -+ "'PlainUsers=*' option allowing everyone to connect to the session.", ++ "'PlainUsers=*' option allowing everyone to connect to the session." ++ "Default is off.", + false); +#endif XserverDesktop::XserverDesktop(int screenIndex_, std::list listeners_, -@@ -168,11 +180,117 @@ void XserverDesktop::init(rfb::VNCServer* vs) +@@ -168,11 +181,121 @@ void XserverDesktop::init(rfb::VNCServer* vs) // ready state } 
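Review bot: In the `ApproveLoggedUserOnly` description, the added `"Default is off."` literal is concatenated directly onto the previous one, so the help text reads "...connect to the session.Default is off."; the first two sentences already run together the same way. Add a trailing space to each preceding literal, e.g. `"Approve only the user who is currently logged into the session. "` and `"'PlainUsers=*' option allowing everyone to connect to the session. "`. Since the text recommends `PlainUsers=*` and the option defaults to off, the description should also state that with this option left off, that setting allows any user to authenticate with the Plain security type, as the neighbouring man page text for `PlainUsers` describes.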
@@ -108,7 +109,11 @@ index d4ee16b..dce1f6c 100644 + } + + std::string serverDisplay = ":" + std::to_string(screenIndex); -+ if (strcmp(display, serverDisplay.c_str()) != 0) { ++ std::string serverDisplayIPv4 = "127.0.0.1:" + std::to_string(screenIndex); ++ std::string serverDisplayIPv6 = "::1:" + std::to_string(screenIndex); ++ if ((strcmp(display, serverDisplay.c_str()) != 0) && ++ (strcmp(display, serverDisplayIPv4.c_str()) != 0) && ++ (strcmp(display, serverDisplayIPv6.c_str()) != 0)) { + free(display); + continue; + } @@ -201,10 +206,10 @@ index e604295..aed188e 100644 std::list* sockets, rfb::VNCServer* sockserv); diff --git a/unix/xserver/hw/vnc/Xvnc.man b/unix/xserver/hw/vnc/Xvnc.man -index b9c429f..17df086 100644 +index b9c429f..e4822f6 100644 --- a/unix/xserver/hw/vnc/Xvnc.man +++ b/unix/xserver/hw/vnc/Xvnc.man -@@ -204,6 +204,12 @@ to allow any user to authenticate using this security type. Specify \fB%u\fP +@@ -204,6 +204,13 @@ to allow any user to authenticate using this security type. Specify \fB%u\fP to allow the user of the server process. Default is to deny all users. . .TP @@ -212,6 +217,7 @@ index b9c429f..17df086 100644 +Approve only the user who is currently logged into the session. +This is expected to be combined with "Plain" security type and with +"PlainUsers=*" option allowing everyone to connect to the session. ++Default is off. +. +.TP .B \-pam_service \fIname\fP, \-PAMService \fIname\fP diff --git a/tigervnc.spec b/tigervnc.spec index 60c8f79..1f8f07c 100644 --- a/tigervnc.spec +++ b/tigervnc.spec @@ -5,7 +5,7 @@ Name: tigervnc Version: 1.14.0 -Release: 4%{?dist} +Release: 5%{?dist} Summary: A TigerVNC remote display system %global _hardened_build 1 
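Review bot: The display check in this hunk is still an exact `strcmp` against three hard-coded spellings (`:N`, `127.0.0.1:N`, `::1:N`), so a session whose display is recorded in any other form (for example `localhost:N` or with a `.0` screen suffix) still reaches `continue` and is not recognised as the matching session. Because this comparison appears to feed the connection-approval decision, add a comment above it that names where `display` comes from and which forms are accepted, e.g. `// accepted forms of the session display: ":N", "127.0.0.1:N", "::1:N"; anything else is treated as another session`. A debug log line on mismatch would let an administrator diagnose a refused session owner. The three `std::string` values do not depend on the session being examined, so if this sits in a per-session loop, as the `continue` suggests, they can be built once before the loop. The enclosing function starts and ends outside the hunk.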
@@ -402,6 +402,10 @@ fi %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %changelog +* Fri Oct 04 2024 Jan Grulich - 1.14.0-5 +- Fix "ApproveLoggedUserOnly" option not working in some setups + Resolves: RHEL-34880 + * Fri Sep 27 2024 Jan Grulich - 1.14.0-4 - Add option "ApproveLoggedUserOnly" allowing to connect only the user owning the running session